January 29, 2018

What is Phishing, and Why Do You Need to Know?

Phishing (see here, here & here) is a primary method for cyber criminals to gain access to email accounts and systems using deception rather than defeating security protections. In a basic phishing attack, a cyber criminal will send an email that looks legitimate, enticing the victim to click on a link or open an attachment. The click might load malware onto the victim’s computer or take the victim to a realistic-looking website. In most cases, the objective is to capture user credentials without the victim knowing. Cyber criminals have found it is generally easier to deceive a victim into clicking rather than breaking through technology defenses.

One of the most famous phishing attacks resulted in the release of Clinton’s emails (see here & here). The cyber criminals enticed a senior Clinton aide to go to a fake website to change his password, which allowed the criminals to capture the username and password to the email account.

Phishing can be used for a wide range of cyber crime (see here & here). Both Ransomware and Social Engineering Fraud (SEF) attacks typically utilize phishing attacks to gain access to email accounts or load ransomware onto a victim’s computer.

A trending phishing attack is Payroll Processing Cyber Crime (see our prior post here), where criminals use a breached system to change payroll deposit instructions. The cyber criminal typically uses a phishing attack to gain access, and then changes direct deposit bank account instructions so payroll money is directed to the criminal rather than the employees.

Krebs on Security (see here) has noted that criminals are upping their game, generating significantly more sophisticated phishing emails and setting up fake websites that appear more legitimate and secure, often using SSL/https. Some malware introduced by phishing also searches the victim’s system for contact information to use for subsequent phishing attacks (see here).

What can you do to prevent phishing attacks from being successful? Since employees are the target, the most important step is to train employees for phishing awareness. Here are some tips from a variety of websites (see here, here, here & here).

Be suspicious

Check links

Check the sender – the sender may be fake

Don’t open unusual attachments

Keep software & anti-virus protections up to date
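The "check the sender" and "check links" tips can be turned into a simple automated screen that a mail administrator or security team might run over incoming messages. The script below is an added example written for this post, not code from the original article or from any of the sites it links to. It parses a message with Python's standard library, flags a Reply-To domain that differs from the From domain, flags a link whose visible text shows one domain while the href points to another (the trick behind the fake password-reset page described above), and flags links to bare IP addresses. Both sample messages are constructed for the example and use the reserved example.com and example.net domains. The two-label domain reduction in registered_domain is a simplification assumed for readability; real deployments should use a public-suffix list. Note that the checks deliberately do not treat https as a sign of legitimacy, since, as the post notes, fake sites now routinely use SSL.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a payroll-themed lure of the kind described in the post.
# Domains are the reserved example.com / example.net; nothing here is a real sender.
SAMPLE_SUSPICIOUS = """\
From: "Payroll Department" <payroll@example.com>
Reply-To: payroll-update@example.net
To: employee@example.com
Subject: Action required: confirm your direct deposit details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your account within 24 hours at
<a href="https://example.net/login">https://hr.example.com/login</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message that should raise nothing.
SAMPLE_CLEAN = """\
From: "HR Team" <hr@example.com>
To: employee@example.com
Subject: Updated holiday calendar
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>The calendar is posted on
<a href="https://hr.example.com/calendar">the HR portal</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (hr.example.com -> example.com).
    Assumed simplification for this example; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text: str) -> str:
    """Return the hostname of a URL, or of link text that merely looks like one."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def check_message(raw: str) -> list:
    """Apply the 'check the sender' and 'check links' tips; return readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender check: a Reply-To on a different domain than From is a classic lure.
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    if from_hdr and reply_hdr:
        from_dom = registered_domain(from_hdr.addresses[0].domain)
        reply_dom = registered_domain(reply_hdr.addresses[0].domain)
        if from_dom != reply_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Link check: compare what the reader sees with where the link actually goes.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())

    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue
        try:
            ipaddress.ip_address(target)
            findings.append(f"Link points to a bare IP address: {href}")
        except ValueError:
            pass  # a normal hostname, not an IP literal
        # Only compare when the visible text itself looks like a host or URL.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and registered_domain(shown) != registered_domain(target):
                findings.append(f"Link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(name, check_message(sample) or "no findings")
```

Run on the suspicious sample, the script reports the Reply-To mismatch and the link whose text shows hr.example.com while pointing at example.net; the clean sample produces no findings. These are heuristics for triage and awareness, not a replacement for mail filtering, and a message that passes them can still be a phish, which is why employee training remains the first line of defense.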

Lastly, or maybe first, make sure you are properly covered with comprehensive Cyber Risk Insurance. Cyber Risk Insurance is an essential coverage for businesses of all sizes for protection from criminal attacks such as phishing. Coverages vary widely, so a thorough review is essential to ensure that comprehensive coverage is in place.